Mozilla has released an update to version 15 of Firefox to correct a bug in the web browser’s Private Browsing feature. Private Browsing is intended to allow users to browse the internet without saving any data about the sites and pages they’ve visited. However an error in the recent Firefox 15.0 release meant that Firefox was storing sites visited in its cache while Private Browsing was enabled.
According to the Bugzilla entry for the problem, upon turning off Private Browsing mode, this cached information could still be manually accessed or read by using a Firefox add-on such as CacheViewer Continued or other tools.
Firefox 15.0.1 is available to download for Windows, Mac OS X and Linux from the project’s site. Existing users should receive an automated update notification; alternatively, users can manually check for the update.
Mozilla has detailed the security vulnerabilities that have been fixed in both products. The fixes include seven critical vulnerabilities in Firefox, five of which are also present in Thunderbird. All in all, the new version of Firefox addresses 16 vulnerabilities while the new Thunderbird version closes 12 holes.
The bug fixes close several memory-related critical vulnerabilities that could be exploited by remote attackers to execute arbitrary code on a target system. Both Firefox and Thunderbird were affected by a vulnerability that allowed an attacker to inject code into the web console and use eval() to run it in a privileged context. This could allow malicious sites to execute arbitrary code when the console is invoked by the user. This problem, rated as high on Mozilla’s scale, has now been fixed. Further security vulnerabilities, two of them rated critical, were closed in the Graphite 2 library, in WebGL and in the SVG rendering engine which are all used by both Firefox and Thunderbird.
Complete lists of all fixed vulnerabilities are available for Firefox and Thunderbird. This information is also available for SeaMonkey; version 2.12 of SeaMonkey fixes the same vulnerabilities as Thunderbird 15.
Mozilla has also released new versions of the Extended Support Releases (ESR) for both Firefox and Thunderbird. Firefox ESR 10.0.7 fixes ten vulnerabilities, five of which are critical, while Thunderbird ESR 10.0.7 closes the same five critical vulnerabilities, closing nine security holes in total.
A new security feature in Firefox 15 that is worth noting is the ability for the browser to automatically update itself in the background. Firefox will now install all updates behind the scenes and only prompts users to restart the browser afterwards to apply the updates.